
In this week’s news, Juniper locks the backdoor on an unwanted guest that looks to be state-sponsored. Landry’s Inc., a restaurant chain, is the latest victim of a PoS attack. AV-TEST, an independent software testing company, released its latest evaluation of 13 AV products on the Mac OS X platform, demonstrating their hefty cost to user experience. Oracle settles with the FTC over not properly notifying customers that older, unpatched versions of Java were left on their computers.

Highlighting the cyber-security news from the past week in a 120 sec. read. Starting now.

 


Backdoors

Juniper announces that spy code had been planted in its firewall products and that, given its sophistication, the infiltration could be state-sponsored.

Why is this significant?

  1. Security tools are intrusive. They are privy to user behavior and machine internals; they run as highly privileged processes; they “decide” for us what is good or bad. Gaining control over a security tool is an attacker’s dream come true.
  2. Only a few countries have reached the level of sophistication needed to create such a backdoor. For a history lesson, a 2013 German publication pointed to techniques that the NSA used to infiltrate hardware/software tools. The same document describes a technique termed “FEEDTHROUGH”, a software implant within Juniper NetScreen firewalls. It seems as though this publication was ignored and there wasn’t any further investigation.
  3. Following its rival’s finding, Cisco has ordered an audit of its code “for similar malicious modification.”

Receive the full story on ITWorld

Breaches

Landry’s Inc. restaurant chain is the latest affected by a PoS breach.

Why is this significant?

  1. The breach is still under investigation, and the total number of restaurants involved is still in question. It could, however, affect as many as 500 restaurants and may have started as early as May 2015.
  2. To prevent future PoS attacks, Landry’s claimed it had already started implementing end-to-end encryption, a process that was under way before the news release about the breach. When it comes to encryption, the devil is in the details. “End-to-end” encryption has to be thought through across the whole process and the actual implementation.
**For more information on the challenges, and solutions, against PoS breaches, we recommend our retail industry brief which can be found here** 

Read Landry's breach press release

Security Landscape

AV-TEST tested 13 different security programs for Mac OS X with regard to efficacy and performance.

Why is this significant?

  1. “Of 13 popular antivirus programs, eight received perfect scores when it came to security detection, and only three failed outright”. 
  2. The test demonstrated the continuous friction between efficacy and usability. Unfortunately, every product tested slowed down the system by at least 20%. The number one inhibitor of solution adoption? User experience. A negative impact on user experience will lead users to find ways to resist or circumvent any tool.

Read the full story on Tom's Guide 

Vulnerabilities

Oracle settles with the FTC over its poorly executed vulnerability patching of Java SE. Updates to Java SE 6.10 or earlier left previous versions on users’ machines without patching those older versions.

Why is this significant?

  1. Oracle had known about the insufficiencies in the software update since 2011, yet it fixed its patching process only 3 years later.
  2. Oracle failed to notify customers in a clear manner that the older vulnerable versions were left on their computers.
  3. Java SE is considered to be installed on 850M PCs, leaving a whopping number of machines vulnerable to known attacks.

Read the full story on The Register